Dear User

Microsoft no longer supports your version of the Internet browser and no longer provides it with security updates. As a result, it is also no longer possible to use modern web technologies that are required for the Vienna Airport website you are accessing.

If you want to use this page correctly and with full functionality, please switch to a current version of your Internet browser.

If you are using Internet Explorer 10 or higher and receive this message, please deactivate the compatibility mode for our site.

Yours sincerely,

Your Vienna Airport Team

Data protection policy

A. General

The controller within the meaning of the EU General Data Protection Regulation 2016/679 (hereinafter also "GDPR") and other national data protection laws of the member states as well as other data protection provisions is:

Flughafen Wien Aktiengesellschaft
Flughafen
1300 Wien-Flughafen
Österreich
Tel.: +43 1 7007-0
Website: www.viennaairport.com

hereinafter also referred to as "FWAG" or "we".

The role of the "controller" is characterised by the fact that the controller decides on the purpose and means of the processing of personal data.

Personal data is regularly processed in the course of the operation of an airport. This is not always done by the airport operator. For example, the processing of personal data related to flight operations is carried out under the responsibility of the respective airline.

This privacy statement only covers processing activities for which FWAG is the controller.

The FWAG data protection officer can be contacted at:

datenschutz@viennaairport.com

and by post: Vienna Airport AG, P.O. Box 1, 1300 Vienna Airport with the addition of "General Secretariat / Data Protection Officer".

Personal data is all information that relates to an identified or identifiable person, such as name, date of birth, address, but also the content of email correspondence or behaviour on websites (hereinafter also referred to as "personal data" or just "data"). There are special categories of personal data that are particularly protected by law. These include, for example, data that reveals religious beliefs or trade union membership, health data, etc.

As a matter of principle, we collect and use personal data of data subjects only,

  • if the data subject consents to the processing of his/her data, or
  • insofar as it is necessary for the establishment, administration and performance of contracts or for the provision of our services, or
  • to the extent that it is necessary for compliance with legal requirements or we are obliged to do so by law, or
  • to the extent that it is justified on the basis of a legitimate interest

In points B and below, we describe each processing activity in detail. Please note that not all processing activities described below are carried out in relation to all data subjects. For example, the information provided under the point "Lounges" only applies to individuals who visit our lounges and the information provided under the point "Competitions" only applies to individuals who participate in our competitions.

We only disclose personal data to others (so-called "recipients") if and insofar as this is necessary and permitted. Details of the respective recipients can be found below under the individual data processing operations. If necessary, we may also disclose your personal data to a competent authority or a competent court.

In addition, we sometimes use external service providers (so-called "processors") who process personal data on our behalf. These have been carefully selected and commissioned by us, are bound by our instructions and are regularly monitored. If we use processors, they are named under the "Recipients" section of the respective processing activity.

It may happen that personal data is transferred by us to countries outside the European Economic Area (so-called third countries). In this case, we ensure that the legal requirements for such transfers are complied with so that the personal data is protected accordingly. For transfers to third countries, we comply, for example, with adequacy decisions of the European Commission, enter into standard data protection clauses adopted by the European Commission, comply with binding internal data protection rules or rely on the exemptions for certain cases regulated by law. If we transfer personal data to third countries or intend to do so, you will find the relevant information under the item "Recipients" or a separate item of the respective processing activity.

The applicable data protection law grants you, as a data subject, comprehensive data subject rights vis-à-vis us, the data controller, with regard to the processing of your personal data, of which we inform you below. To exercise these rights (with the exception of the right to complain to the competent data protection authority), please contact datenschutz@viennaairport.com.

If you wish to unsubscribe from any of our newsletters or have any questions regarding the sending of a newsletter from us, please contact newsletter@viennaairport.com.
 

Right to withdraw consent given in accordance with Article 7(3) of the GDPR

You have the right to withdraw your consent to the processing of data at any time with effect for the future. In the event of revocation, we will immediately delete the data concerned unless further processing can be based on a legal basis for processing without consent. The revocation of consent shall not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.

Right of access pursuant to Article 15 of the GDPR

In particular, you have the right to obtain information about your personal data processed by us, the purposes of processing, the categories of personal data processed, the recipients or categories of recipients to whom your data have been or will be disclosed, the intended storage period or the criteria for determining the storage period, the existence of a right to rectification, erasure, restriction of processing, objection to processing, complaint to a supervisory authority, the origin of your data if it has not been collected from you by us, the existence of automated decision-making including profiling and, where applicable, meaningful information about the logic involved and the implications for you and the intended effects of such processing, as well as your right to be informed about the safeguards pursuant to Article 46 of the GDPR in case of onward transfer of your data to third countries.  

Right of rectification pursuant to Article 16 of the GDPR

You have the right to have any inaccurate data relating to you corrected without delay and/or to have any incomplete data held by us completed.

Right to erasure pursuant to Article 17 of the GDPR

You have the right to request the deletion of your personal data if the conditions of Article 17 (1) DSGVO are met. However, this right does not apply in particular if the processing is necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the establishment, exercise or defence of legal claims.

Right to restriction of processing under Article 18 of the GDPR

You have the right to request the restriction of the processing of your personal data as long as the accuracy of your data that you dispute is being verified, if you object to the erasure of your data due to unlawful data processing and instead request the restriction of the processing of your data, if you need your data for the assertion, exercise or defence of legal claims after we no longer need this data after the purpose has been achieved or if you have objected on the grounds of your particular situation as long as it has not yet been determined whether our legitimate grounds prevail.

Right to data portability pursuant to Article 20 of the GDPR

You have the right to receive your personal data that you have provided to us in a structured, commonly used and machine-readable format or to request that it be transferred to another controller if the conditions of Article 20 DSGVO are met and insofar as this is technically feasible.

Right to object pursuant to Art. 21 DSGVO

If we process your personal data within the framework of a balancing of interests on the basis of our overriding legitimate interest (Art. 6(1)(f) DSGVO), you have the right to object to this processing with effect for the future at any time on grounds arising from your particular situation.

If you exercise your right to object, we shall cease processing the data concerned unless we can demonstrate compelling overriding reasons for the processing which override your interests, fundamental rights and freedoms, or if the processing serves the purpose of asserting, exercising or defending legal claims.

If your personal data is processed by us for the purposes of direct marketing, you have the right to object at any time to the processing of personal data concerning you for the purposes of such marketing. If you exercise your right to object, we will stop processing the data concerned for direct marketing purposes.

Right to lodge a complaint with a supervisory authority under Article 77 of the GDPR

If you consider that the processing of personal data concerning you infringes the GDPR, you have - without prejudice to any other administrative or judicial remedy - the right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, workplace or the place of the alleged infringement. In Austria, the competent supervisory authority is the

Austrian Data Protection Authority
Barichgasse 40-42
1030 Vienna
https://www.dsb.gv.at/

B. Website, cookies, correspondence and webshop orders

When you visit our website, we process personal data about you:

  1. In part, our system automatically collects data and information from the computer system of the calling computer - i.e. from your computer. We use this data to provide the website and to create so-called log files about the accesses to our website.
     
  2. In addition, we use so-called "cookies"to make our website more user-friendly and to analyse the surfing behaviour of our users on our website.

a) Description, scope and purpose of data processing

Each time our website is accessed, our system automatically collects data and information from the computer system of the accessing computer

The following data is collected in this process:

  • Information about the browser type and the version used
  • Language and version of the browser software
  • The user's operating system and its interface
  • The user's internet service provider
  • The user's IP address
  • The date and time of access and time zone difference from Greenwich Mean Time (GMT)
  • Amount of data transferred
  • Websites from which the user's system accesses our website
  • Websites that are accessed by the user's system via our website
  • Access status/HTTP status code

The data is also stored in the log files of our system. Storage of this data together with other personal data of the user will not take place.

The temporary storage of the IP address by the system is necessary to enable delivery of the website to the user's computer. For this purpose, the user's IP address must remain stored for the duration of the session.

The storage in log files is done to ensure the functionality of the website. In addition, we use the data to optimise the website and to ensure the security of our information technology systems. An evaluation of the data for marketing purposes does not take place in this context.  

b) Legal basis for data processing

The legal basis for the temporary storage of the personal data and the log files is our legitimate interest, which lies in the pursuit of the above-mentioned purposes, in particular ensuring the functionality of the website and guaranteeing the security of our information technology systems (Art. 6 para. 1 lit. f DSGVO).

c) Recipient

The personal data is disclosed to IT service providers for the purpose of maintaining the functionality of the online services. In order to make the website available in a technically barrier-free manner, purely technical data (IP address, web browser, referrer website) is transmitted to the processor AccessiWay GmbH (Austria) and to the sub-processors AccessiWay S.R.l (Italy) and, on the basis of an adequacy decision by the Commission, AccessiBe Ltd (Israel).

d) Retention period

Personal data is generally deleted as soon as it is no longer required to achieve the purpose for which it was collected. In the case of the collection of personal data to provide the website, this is the case when the respective session has ended.

IP addresses are stored for a period of one year to ensure the operational security and integrity of our systems.

a) Description, scope and purpose of data processing

Our website uses cookies. Cookies are text files that are stored in the internet browser or by the internet browser on the user's computer system. If you as a user call up our website, cookies are stored on your computer system. Each cookie contains a characteristic string of characters that enables your browser to be uniquely identified when you return to our website. We use some cookies to ensure the functionality of our website (so-called "functionally necessary cookies"). In addition, we also use cookies to analyse the surfing behaviour of our users and to be able to draw conclusions from this to improve our website (so-called "other (non-functionally necessary) cookies").

b) Legal basis for the processing

The legal basis for the processing of personal data using functionally necessary cookies is our legitimate interest, which lies in particular in the provision of our website (Art. 6 para. 1 lit. f DSGVO).

The legal basis for the processing of personal data using (non-functionally necessary) cookies for analysis purposes is the user's consent in this regard (Art. 6 para. 1 lit. a DSGVO). In the case of certain (non-functionally necessary) cookies, the legitimate interest also comes into consideration, which in the case of analysis cookies lies in the statistical analysis of user behaviour for optimisation and marketing purposes (Art. 6 para. 1 lit. f DSGVO).

c) Further information and transfer to recipients outside the EEA

Further information on the data processing activities in connection with the cookies we use can be found in the privacy statements of the respective providers linked below. There you will also find the measures that ensure lawfulness in the event of a transfer to a recipient outside the European Economic Area. As a rule, the lawfulness of the transfer is ensured by the conclusion of standard data protection clauses.

d) Retention period

Unless the storage of cookies is influenced by the user himself by exercising the options of objection and removal, you will find the retention period of the respective cookies in the corresponding column of the table.

e) Objection and removal options

Cookies are stored on the user's computer and transmitted from it to our site. Therefore, you as a user also have control over the use of cookies. By changing the settings in your internet browser, you can deactivate or restrict the transmission of cookies. Cookies that have already been stored can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it may no longer be possible to use all the functions of the website to their full extent.

Each browser differs in the way it manages cookie settings. An explanation of how to change your cookie settings can be found in each browser's help menu or on the browser provider's website.

a) Description, scope, purpose and legal basis of data processing

We process your personal data (such as name, contact details, message content, date and time of contact) that you transmit to us by email, contact form, fax, mail or telephone, in each case not for the purpose of preparing or fulfilling a contract, for our operational purposes (inquiry response, legal prosecution and legal defense). This data is processed by us on the basis of our overriding legitimate interests (interest in responding to inquiries, legal prosecution as well as legal defense) pursuant to Article 6 (1) (f) GDPR. In case of contact via social media channels, please also refer to Section D. "Social media".

In addition, we process your personal data (such as name, contact details, order information, offers, payment information) that you transmit to us as part of the ordering process in our webshop or otherwise by email, contact form, fax, mail or telephone, in each case for the purpose of preparing or fulfilling a contract, for the purpose of performing the contract (fulfillment of contractual obligations and exercise of contractual rights; implementation of pre-contractual measures at the request of the data subject). The legal basis for this data processing is, if applicable in addition to the legitimate interests (see first paragraph), the "performance of the contract" pursuant to Article 6 (1) (b) GDPR.

b) Recipients

A transmission of your data to third parties will take place if

(i) the payment method selected by you requires this (transmission to the payment service provider, e.g. when paying by credit card),

(ii) if Flughafen Wien AG does not conclude contracts in its own name, but mediates such contracts between you and third parties (transmission to your contractual partner, e.g. transmission of CAT ticket order data to City Air Terminal Betriebsgesellschaft m.b.H., Postfach 1, 1300 Vienna Airport, www.cityairporttrain.com), or

(iii) if this should otherwise become necessary by way of exception for the performance of the contract.

The legal basis for these transfers is the "performance of the contract" pursuant to Article 6 (1) (b) GDPR.

c) Retention period

Your data will only be stored for as long as is necessary to fulfill the aforementioned purposes, but for no longer than three years after the respective contact has been made or after fulfillment of the respective contract, and will then be deleted immediately. Messages with business content sent to us will be stored on the basis of Article 6 (1) (c) GDPR, if necessary beyond this period, insofar as this is necessary due to our legal obligations (in particular tax and company law retention obligations), and then deleted immediately.

C. Vienna Airport-App

We store the data that is required to provide the features of the app. You can partially control which data is collected via the settings in the app. When you use our app, our system collects the following data and information in particular automatically and for technical reasons:

Data collection Storage

Provided the user has given consent, we collect the following data using Google Analytics for Firebase ( https://support.google.com/firebase/answer/6318039?hl=de):

  • Number of users and sessions
  • Session duration
  • Operating systems
  • Device models
  • Region
  • First launches
  • App launches
  • App updates

Access logs are generated whenever the APP is used:
 

  • Client IP
  • Call
  • Date
  • Time
  • Operating system + version

When a flight is saved by the user:

  • Device ID of the user

If you have given us your consent to collect and process statistical user data using beacon technology and standard localisation services, the following data will also be collected:

  • Location
  • Pseudonymised user ID
  • IP address
  • Time of localisation

 

The purpose of the data processing is to provide the App with the features mentioned below and to improve the Airport's services.

Features of the App: 

  • Temporally unlimited reservation for a flight by means of
    • scanning the QR/barcode on your boarding pass
    • selection from the current list (24 hrs)
    • Enter flight number and date
  • Verification of the prebooked flight approx. 24 hours in advance
  • Info on departure/arrival time, terminal, airline and gate
  • Push notifications for the prebooked departure (info 24h and 6h in advance, go to gate, boarding, boarding completed)
  • Push notifications on pre-announced arrival (Expected arrival time, Approach, Landing, On position)
  • Push notifications on flight special events (gate change, delay, cancellation)
  • Info about parking facilities as well as their current occupancy rate
  • Shop & restaurant finder
  • Direct link to mobile website and relevant info of Vienna Airport
  • Info and timetable of bus, train, CAT to and from the airport
  • Airport map

The legal basis for the processing is the consent you may have given (Art. 6 para. 1 lit. a DSGVO). Furthermore, the processing is necessary in order to be able to offer you the app with all the above-mentioned features (Art. 6 para. 1 lit. b DSGVO).

The legal basis for the processing of personal data in connection with the improvement of the airport's offer is our legitimate interest, which lies in particular in the improvement of our offers, services and the features of our app (Art. 6 para. 1 lit. f DSGVO).

The personal data will be disclosed to the following recipients:

  • For maintenance purposes, the manufacturer of the APP software has access to log data and flight registrations in the system
  • Push messages for flights saved by users are transmitted via Apple (iPhone) or Google (Android)
  • Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland
  • Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

Google LLC is Privacy Shield certified, which ensures an adequate level of data protection; however, access to data by foreign authorities under the Cloud Act may occur.

In addition, if you have given us consent to collect and process statistical user data using beacon technology, your data will be disclosed to the following recipients:

Square Metrics GmbH, Köpenicker Straße 154, 10997 Berlin, Germany;

Die Daten zur Bereitstellung der App werden nach Erreichung des Zweckes ihrer Erhebung gelöscht (z.B. Device-ID nach 24 Stunden nach geplanter Flugzeit des gespeicherten Fluges).

Die statistischen Nutzerdaten, welche wir mit Ihrer Einwilligung mittels Beacon-Technologie verarbeiten, werden spätestens 24 Stunden nach ihrer Erhebung gelöscht. Daten zu Ihrer Einwilligung werden 18 Monate nachdem Sie Ihre Einwilligung widerrufen gelöscht.

D. Social media

For the purposes of targeted and modern corporate presentation and communication as well as up-to-date customer service, we use the services of the following social media providers to present ourselves and communicate with you via our respective accounts:

Details of the processing involved in communicating with you via these media can be found at Correspondence.  

When you use our social media offer, your data will also be processed by the respective social media provider itself for its purposes. You can find information on the respective data processing under the links above.

When you browse our Facebook page https://www.facebook.com/flughafenwien/, so-called Insight data is also processed as part of the "Insights" function. Facebook makes this function available to operators of professional Facebook pages. With this function, we can see how successful our Facebook page is and where we can still improve our offer for you. For the data processing associated with Facebook Insights, we are jointly responsible with Facebook under data protection law in accordance with Art 26 DSGVO.

For this reason, we have concluded an agreement with Facebook that specifies who is responsible for compliance with the GDPR, in particular with regard to your rights. Under this agreement, Facebook assumes primary responsibility under the GDPR for the processing of insights data and agrees to comply with all obligations under the GDPR with respect to the processing of insights data (see https://www.facebook.com/legal/terms/page_controller_addendum).

For more information about Facebook's data processing, please see https://www.facebook.com/privacy/explanation.

E. Correspondence

For information on how we process your personal data in the event that you contact us, please refer to Section B.3 "Correspondence and webshop orders”.

F. Newsletter

We store and process the personal data you provide when registering for the newsletter for the purpose of sending you information worth knowing about the topic covered in the respective newsletter by e-mail.

In addition, we store your IP addresses and the times of registration and confirmation for the purpose of verifying your registration and, if necessary, to be able to clarify a possible misuse of your personal data.

In relation to the specific newsletter you receive, we collect and process the time when you receive the newsletter, the time when you open and read the newsletter, your click behaviour and whether you forward the newsletter, if applicable. This processing is done for the purpose of improving our services and to be able to continuously adapt the newsletter content to the needs of the newsletter subscribers.

The legal basis for the processing of personal data in connection with the newsletter registration and sending is your consent (Art. 6 para. 1 lit. a DSGVO) or, with regard to the processing of your IP addresses used and times of registration and confirmation, our legitimate interest, which lies in the purposes described above, in particular in the proof of your registration and in the clarification of possible cases of misuse (Art. 6 para. 1 lit. f DSGVO).

The legal basis for the processing of personal data in connection with the specific newsletters you receive is our legitimate interest, which lies in the purposes described above, in particular in tailoring our newsletter content to the needs of newsletter subscribers (Art. 6 para. 1 lit. f DSGVO).

The personal data is disclosed to IT service providers.

In principle, we keep your personal data as long as you are registered for the newsletter. In addition, we store your personal data for 12 months as a precaution for verification purposes, as long as legal claims can be asserted in connection with the sending of the newsletter.

After you confirm your entry, an e-mail will be sent to your e-mail address. You are only registered for the newsletter after confirming the link in this e-mail. If you do not confirm the link within 24 hours, your information will be blocked and automatically deleted at the latest after one month.

If applicable, the personal data will be deleted earlier if you permissibly exercise the options of objection and removal.

G. Competitions

The personal data provided by participants to take part in a competition (co-)organised by us, i.e. usually title, name, email address, address and the contribution made in the context of the competition (e.g. selected answer option, uploaded photos, texts), will be processed by us exclusively for the purpose of the competition (drawing or selection of winners, notification of winners and dispatch of prizes).

The personal data of the winners, namely title, name, email address, the contribution made in the context of the competition (e.g. selected answer option, uploaded photos, texts), address, prize, proof of delivery of the prize and correspondence will be processed by us exclusively for the purpose of the competition management (drawing or selection of the winners, notification of the winners and dispatch of the prizes) as well as for documentation and evidence purposes.

The legal basis for the processing of the participants' personal data is their consent (Art. 6 para. 1. lit. a DSGVO) as well as the performance of the contract (Art. 6 para. 1 lit. b DSGVO).

Participation in our competitions is voluntary. You therefore provide us with your personal data voluntarily, without obligation. However, the processing of your personal data is necessary to enable you to participate in the competition. If you do not provide us with your personal data, you will not be able to participate in the competition.

The personal data may be disclosed to the following recipients:

  • IT service provider
  • Companies in whose cooperation we run competitions
  • Companies that send out prizes or that otherwise require personal data of the winners for the provision of the prizes

We keep personal data of participants for up to three months after the end of the participation period.

We generally retain personal data of the winners for up to 3 years after the prize has been sent. If required by statutory retention obligations, we will retain personal data beyond the aforementioned periods in accordance with these regulations. Furthermore, we retain personal data for as long as legal claims can be asserted in connection with the prize draw (in particular by winners in the case of the draw for non-cash prizes).

If applicable, personal data will be deleted earlier if you permissibly exercise the options to object and remove.

H. Events

In connection with events that we (co-)organise, we process personal data at different stages of the event organisation, starting with the sending of invitations, the creation of guest lists and the reporting of the event.

In order to be able to send invitations to our events, we process in particular the first and last name, title, business relationship and contact details of the (potential) guests. As part of the event registration process, you will be asked to provide some data (e.g. first and last name, email address). If you register via an online form, the date and time of registration will also be stored at the time of submission.

We process the personal data from the registrations received in order to organise the event and to prepare a guest list.

As a rule, we take pictures at our events in order to report on them in various internal and external media (e.g. print media, online platforms, websites, social media, etc.). The participants of the event can regularly be seen in these photographs.

The legal basis for the processing of data in connection with the sending of the invitation is any consent you may have given (Art. 6 para. 1 lit. a DSGVO) or our legitimate interest, which lies in particular in inviting people connected with us to our events (Art. 6 para. 1 lit. f DSGVO).

The legal basis for the processing of personal data in the course of registration for events is our legitimate interest in organising the event, maintaining a guest list and the possibility of contacting our guests if necessary (Art. 6 para. 1 lit. f DSGVO).

The legal basis for taking photographs is our legitimate interest, which lies in particular in reporting on our events (Art. 6 para. 1 lit. f DSGVO). If necessary, we also obtain consent for the taking or publication of photographs (Art. 6 para. 1 lit. a DSGVO).

The personal data may be disclosed to the following recipients:

  • IT service provider
  • Companies in whose cooperation we hold events
  • Security companies that provide security at events
  • Publication of image recordings in internal and external media (e.g. print media, online platforms, websites, social media, etc.)

Personal data is usually deleted immediately after the event, unless special circumstances in individual cases require continued storage. As a rule, we retain images taken at the event for 3 years. Depending on the event, we may select certain image recordings before the expiry of these 3 years, which we retain for a longer period for special occasions such as anniversaries or the like.

The personal data may be deleted earlier if you exercise your right to object and to have your data removed.

I. Video surveillance at Vienna Airport

The operation of the airport requires numerous security measures. In particular, video surveillance is used to be able to guarantee your personal safety.

Video surveillance with digital image recording at Vienna Airport:

We monitor the complete airport operation for

  • Prevention of possible violations against the Schengen Agreement,
  • Assessment and monitoring of incidents and dangerous situations,
  • Counter movement control (e.g. a passenger moves against a predefined movement device),
  • Empty detection of lift cars and escalators,
  • Monitoring of passenger boarding bridges,
  • Suspicious baggage detection,
  • Carrying out flow management (tracking and intervening in tourist flows),
  • Maintaining the protection of property and persons present at the airport, and
  • Preventing theft.
  • to prevent, contain and resolve conduct relevant to criminal law,

with exclusive evaluation in the occasion defined by the purpose.

Video surveillance on the departure ramp:

Video surveillance of the departure ramp (i.e. the road in front of the departure terminals that can be accessed by cars) is carried out for the purpose of prevention, avoidance and containment of criminal offences with exclusive evaluation in the event defined by the purpose designation as well as efficient processing on the departure ramp.

Video surveillance of the parking garages or parking spaces operated by FWAG:

This video surveillance is carried out for the purpose of self-protection (fulfilment of traffic safety obligations) as well as for the purpose of prevention, prevention and containment of criminal offences with exclusive evaluation in the occasion defined by the purpose designation.

Please note that not all parking garages or parking spaces in the vicinity of Vienna Airport are operated by FWAG. Information regarding the video surveillance of Parking garages and Parking spaces can usually be found at the entrance or entrance barrier.  

Video surveillance with digital video recording of the Post Partner office foyer:

This video surveillance system serves the purpose of security, in particular of the collecting recipients and their packages, the purpose of self-protection (protection of persons and property and protection of responsibility (fulfilment of traffic safety obligations, contractual liability towards customers, etc.) as well as for the purpose of prevention, containment and clarification of criminally relevant behaviour, with exclusive monitoring in the occasion defined by the purpose.

Video surveillance of ICT equipment pick-up stations:

The video surveillance of the ICT equipment pick-up stations in Office Park 1 and Car Park 8 serves the purpose of protecting the ICT equipment owned by Flughafen Wien Group. In particular, it is intended to prevent the commission of criminal offences or, in the event of an incident, to provide clarification."

The legal basis for the video surveillance is our legitimate interest, which lies in the pursuit of the above-mentioned purposes, in particular the prevention, containment and clarification of criminally relevant behaviour (Art. 6 para. 1 lit. f DSGVO, § 12 DSG).

On an occasion-by-cause basis, the personal data may be disclosed to one or more of the following recipients:

  • Competent authority or competent court (to secure for reasons of evidence in criminal cases)
  • Security authorities (for security police purposes)
  • Courts (for securing evidence in civil law cases)
  • Insurance companies (exclusively for the settlement of insurance claims)

In addition, with regard to the video surveillance with digital video recording of the foyer of the Post Partner office, disclosure to the following recipients may occur:

  • Collectors of packages (within the scope of traffic safety obligations, contractual liability and similar legal grounds)
  • Shipping companies, post office and all companies involved in the transport chain of the packages (within the scope of contractual liability and similar legal grounds)

We keep the data recorded by means of video surveillance for up to 30 days, unless longer storage is necessary in individual cases (e.g. if the video recording documents a criminal offence).

J. Use of the departure ramp as well as the car parks, parking lots and underground garages

If you use the departure ramp (that is the road in front of the departure terminal) or the car parks, parking lots or underground garages of Flughafen Wien AG, your personal data (number plate data, time and place of entry, time and place of exit, time of placement of the ticket into the machine, time of arrival at a speedometer and driving speed, amount of parking fee and payment method) for the following purposes:

  • Controlling and improving the flow of traffic, in particular ensuring efficient processing and avoiding traffic jams on the departure ramp
  • Control of legally compliant use (e.g. exceeding the free parking time, multiple accesses within 24 hours, compliance with the speed limits applicable in the multi-storey car parks)
  • Accounting of parking fees
  • Barrier opening
  • Protection of persons and facilities (e.g. prevention and prosecution of personal accidents, theft, vandalism and other criminal offenses)
  • Prosecution of misuse (e.g. exit without payment)

Information on video surveillance and the processing of image data when using the departure ramp, car parks, parking lots or underground car parks of Flughafen Wien AG can be found under Section I. "Video surveillance at Vienna Airport".

The legal basis for data processing for the execution of the contract (fulfilment of contractual obligations and exercise of contractual rights, in particular the billing of parking fees and the control of the legally compliant use) is the "performance of the contract" (Article 6 (1) (b) GDPR). The legal basis for data processing for other purposes (in particular for the processing of license plate data for the purpose of protecting people and facilities) is our legitimate interest, which lies in the pursuit of the purposes mentioned under point 1, in particular the protection of persons and facilities (Article 6 (1) (f) GDPR).

Depending on the occasion, the personal data may be disclosed to one or more of the following recipients:

  • Competent authority or competent court (to secure evidence in criminal cases)
  • Security authorities (for security police purposes)
  • Courts (to secure evidence in civil cases)
  • Insurance (exclusively to process insurance claims)
  • Payment service provider (e.g. when paying by credit card)

In principle, your data will only be stored for as long as is necessary to fulfill the stated purposes. The deletion of the number plate data and the driving speed data takes place automatically 24 hours after exiting, in the event of a breach of contract 8 weeks after receipt of payment of the outstanding claim and no later than 3 years after the breach of contract. In cases of breach of contract, data processing takes place on the basis of our legitimate interests in legal prosecution and legal defense in accordance with Article 6 (1) (f) GDPR. Insofar as required by law, your data will also be stored on the basis of Article 6 (1) (c) GDPR and deleted after the end of the statutory retention periods, in particular under tax law, of seven years after the end of the calendar year.

K. Easy Parking

When you book "Easy Parking" and drive your car into the Easy Parking zone, we record your name, email address/phone number and registration number. This ensures that you receive your car key and information about the parking space as quickly as possible on your return. Furthermore, we take a photo documentation of your vehicle with a mobile device to check the damage. If necessary, we can access the photos to clarify whether damage to your vehicle was already present before the Easy Parking service or only occurred in the course of it.

The legal basis for the collection of the contract data and the photo documentation is the "fulfilment of the contract" (Art. 6 para. 1 lit. b DSGVO).

The vehicle takeover, photo documentation and transfer of the vehicles is carried out by our subcontractor, "Assured Austria GmbH & Co KG" (Blumengasse 18/2, 1180-Vienna; FN 525526 h).

In addition, personal data may be disclosed to one or more of the following recipients on an occasion-related basis:

  • Competent authority or competent court (to safeguard for evidentiary reasons in criminal cases)

  • Security authorities (for security police purposes)

  • Courts (for securing evidence in civil cases)

  • Insurance companies (exclusively for the settlement of insurance claims)

  • Billing platforms

The deletion of the recorded images takes place - provided no damage was reported - 6 months after the return of the respective vehicle. The remaining data will be deleted after the expiry of the seven-year retention period required by tax law.

L. Boarding pass control PaxControl

At the entrance to the airside, which is the area in the terminals that is only accessible to certain people (e.g. passengers, crew members, employees), your boarding pass is scanned to check whether you are authorised to enter the airside. This also serves airport security purposes in particular. The following data will be processed: Name, PNR code, destination, airline, flight number, date, class, seat, sequence number (of the airline), status (if indicated by the airline), frequent flyer number (if indicated by the airline) and fast track indicator.

The processing activity serves to fulfil our legal obligation under Commission Regulation No 2015/1998 of 5 November 2015 laying down detailed measures for the implementation of the common basic standards on aviation security (Article 6(1)(c) of the GDPR) as well as our legitimate interest, which lies in the pursuit of the above purposes, in particular airport security (Article 6(1)(f) of the GDPR).

In the context of boarding pass control, personal data are disclosed to the following recipients:

  • IT service provider

We keep the personal data for 48 hours, after which it is deleted again.

M. Biometric boarding pass control Paxcontrol "Star Alliance Biometrics"

Star Alliance Biometrics (hereinafter: "SBH") is a product of Star Alliance Services GmbH (Frankfurt Airport Center 1, 5th Floor, 60546 Frankfurt / Main; hereinafter: "Star Alliance") and enables the voluntary biometric identification (facial recognition) of passengers at the airport. Flughafen Wien Group currently supports the use of the biometric identification service offered by SBH at individual, clearly marked boarding pass control gates before the security check ("Pre-security gates").

At these clearly marked gates, which have SBH's biometric identification service integrated, if you wish to use the biometric identification service, you will be asked to record a short video sequence, which will subsequently be transmitted to Star Alliance for the purpose of biometric matching with your biometric profile stored at SBH.

For this subsequent data processing in connection with the biometric matching in the area of responsibility of Star Alliance as well as for the registration with SBH and the use of the associated Star Alliance Navigator App, the Star Alliance Privacy Policy applies, which can be found at  https://staralliance.com/de/apps-privacy-policy

In case of a successful matching of your captured facial images with the SBH database, Star Alliance will transmit all necessary data of your boarding pass to Flughafen Wien Group (see pt. L), the airlock will open and you can continue your journey.

Please note:

Unless you have given or revoked consent in the Star Alliance Navigator App, you are neither permitted nor able to use the biometric identification service (successfully). Alternative means of boarding pass verification (e.g. boarding pass scan) are available to you. There is no obligation to use the biometric identification service.

Should you attempt to use the biometric identification service without being registered with SBH or without having given your consent to be identified at Vienna Airport - contrary to the express notice at the correspondingly marked airlocks - a video sequence/photo will nevertheless be taken of you and transmitted to the Star Alliance for biometric comparison. However, the identification will then fail and the identification process will end with an error message.

The legal basis for this processing is your express consent given in the Star Alliance Navigator App to be identified at Vienna Airport via the Star Alliance biometric identification service (Art. 9 para. 2 lit. a DSGVO). Star Alliance handles the consent management for Flughafen Wien Group.

The facial images are transmitted to the Star Alliance identification service. Star Alliance generates the biometric features from one of these facial images and matches them with the biometric template stored in their database and assigned to a specific passenger. The identification service requires a biometric database. This database is also provided by Star Alliance. There, the passenger voluntarily registers in advance by providing personal details, taking a photo, scanning an identification document and selecting the airports and airlines where the passenger wishes to have their person identified through the biometric process outlined above. For more information on this processing of your data by Star Alliance:  https://staralliance.com/de/apps-privacy-policy

The captured facial images are deleted immediately after transmission to the Star Alliance and are therefore not stored by Flughafen Wien Group.

N. Lounges (VIENNA Lounge and Sky Lounge)

In the event of your direct payment for the lounge visit by credit or debit card, we process your payment information (such as credit card company, card numbers, card expiry date, payment amount, service, date and time) for payment processing. The legal basis for this data processing is the fulfillment of a contract in accordance with Article 6 (1) (b) GDPR.

If you are the owner of certain credit cards, membership cards or other proof of access authorization that allows you free or discounted access to the lounge, we usually also carry out data processing on behalf of and under the responsibility of your contractual partner (e.g. airline, credit card company or tour operator), who acts as data controller in this regard. You can obtain information about this data processing from your respective contractual partner.

If you are the owner of certain credit cards, membership cards or other proof of access authorization that allows you free or discounted access to the lounge, we process the personal data stored on them, and possibly also on your boarding pass, (such as name, credit card company, card number, flight number, Time and date of your flight) as well as number of guests, type of guest (e.g. accompanied child), date and time of lounge visit for the purpose of billing our services to your contractual partner (e.g. airlines, credit card companies or tour operators) who offers you free or discounted access to the lounge . The legal basis for this data processing is the fulfillment of a contract in accordance with Article 6 (1) (b) GDPR as well as our legitimate interests (interest in establishment, exercise or defence of legal claims) in accordance with Article 6 (1) (f) GDPR.

In accordance with our house rules, we may also process your boarding pass data (name, flight number, time and date, booking class) and the time of your registration at the lounge reception for the purpose of identifying you as a departing passenger and our lounge guest, for the purpose of checking your permitted length of stay in the lounge and, if applicable, for the purpose of documentation for our and your contractual partner. The legal basis for this data processing is the performance of the contract pursuant to Art. 6 para. 1 lit. b GDPR and our overriding legitimate interests (interest in preventing the misuse of access authorizations, interest in efficient and customer-friendly service, interest in compliance with and enforcement of the house rules and their documentation) pursuant to Art. 6 para. 1 lit. f GDPR. We also process your boarding pass data to create evaluations (e.g. regarding the average maximum dwell time until departure) to optimize our services. This data is processed by us on the basis of our overriding legitimate interests (interest in service optimization) in accordance with Art. 6 para. 1 lit. f GDPR.

If you are the owner of certain credit cards, membership cards or other proof of access authorization that allows free or discounted access to the lounge, your personal data may be transmitted to your contractual partners (e.g. airlines, credit card companies or tour operators). If you pay for the lounge visit using a credit or debit card, your payment information will be transmitted to the respective payment service provider.

Your data will only be stored for as long as is necessary to fulfill the stated purposes and to answer any customer inquiries, but no longer than eight months after your access to the lounge. We may also store your data that we process to fulfill the contract (in particular invoice data) on the basis of Article 6 (1) (c) GDPR, insofar as this is necessary due to our legal obligations, in particular retention obligations under tax and corporate law (usually seven years after the end of the year to which the data refers).

O. Visitor World

When you register for an offer (e.g. tours, guided tours, round trips, etc.) in our Visitor World, we process the personal data you disclose in the course of registration, i.e. in particular your name, e-mail address, telephone number, address, payment information and the offer booked.

Your personal data is processed so that the booking can be processed (incl. registration, reservation confirmation and payment processing) and you can participate in the booked tour (inclusion in the participant list).

The provision of your personal data is a prerequisite for participation in Visitor World offers.

The legal basis for the processing of your personal data is the fulfilment of the contract or the implementation of pre-contractual measures (Art. 6 para. 1 lit. b DSGVO).

The personal data will be disclosed to the following recipients:

  • In the case of the Tower Tour: Austro Control, Österreichische Gesellschaft für Zivilluftfahrt mit beschränkter Haftung (the first and last names of the registered participants must be transmitted due to legal obligations to ensure safety)
  • In the case of the Austrian Shipyard Tour: Austrian Airlines AG (the first and last names of the registered participants must be transmitted due to legal obligations to ensure safety)
  • IT service provider

In principle, we keep your personal data until the contractual relationship has been fulfilled or terminated. In addition, we are subject to various storage obligations according to which personal data must also be stored beyond the contractual relationship, as is required, for example, due to storage periods under tax law. Furthermore, we may retain your personal data as long as legal claims can be asserted in connection with the contract. In the event of pending official or legal proceedings, your personal data will be retained until the end of the respective proceedings.

P. Contract and business partners

Contractual and business partners are requested to bring the contents under this point to the attention of the persons concerned, in particular their employees and organs.

We process personal data of our contractual and business partners or their employees and bodies for the purpose of

  • to take the necessary actions in the pre-contractual area,
  • to conduct our business, in particular to fulfil and settle the contracts concluded with contractual partners (including billing),
  • to comply with legal regulations and industry standards,
  • to communicate with contractual and business partners,
  • control, monitor and improve internal processes (for example within the framework of internal audits),
  • to maintain a contract database and
  • to improve internal processes.
  • to conduct marketing.

The legal basis for processing activities that are necessary for actions in the pre-contractual area and for the fulfilment and execution of a contract is the fulfilment of the contract or the execution of pre-contractual measures (Art. 6 para. 1 lit. b DSGVO).

The processing of personal data provided within the framework of the contractual relationship is necessary for the performance of the contractual relationship. If this personal data is not provided or not provided in full, we may not be able to fulfil our contractual obligations in full or may not be able to conclude the contract at all.

The legal basis for processing activities that are necessary to comply with legal provisions is the fulfilment of legal obligations (Art. 6 para. 1 lit. c DSGVO).

The legal basis for communication with our contractual and business partners varies depending on the nature and content of the correspondence and is based either on pre-contractual measures or the performance of a contract if the request is aimed at the conclusion of a contract, otherwise concerns the pre-contractual area or is directly related to the performance of a contract (Art. 6 (1) lit. b DSGVO), or on our legitimate interest, which lies in particular in maintaining our business contacts (Art. 6 (1) lit. f DSGVO).

The legal basis for processing activities related to the control, monitoring and improvement of internal processes is our legitimate interest, which lies in particular in promoting our company, improving our business processes, assessing and improving the effectiveness of our risk management and supporting our management in complying with the due diligence obligations incumbent upon them (Art. 6 (1) (f) DSGVO).

The legal basis for processing activities within the scope of our contract database is our legitimate interest, which lies in facilitating the selection of contractual partners for future business as well as the preparation and execution of contracts (Art. 6 para. 1 lit. f DSGVO).

The legal basis for processing activities for marketing purposes is our legitimate interest, which lies in particular in the performance of direct marketing (Art. 6 para. 1 lit. f DSGVO).

The personal data may be disclosed to the following recipients:

  • Affiliated companies
  • Tax advisors, auditors and attorneys
  • Other consultants (e.g. management consultants)
  • Banks
  • Insurance companies
  • Courts and authorities
  • IT service providers
  • other service providers (e.g. travel companies, driving services, hotels)

In principle, we keep your personal data until the contractual relationship has been fulfilled or terminated. In addition, we are subject to various storage obligations according to which personal data must also be stored beyond the contractual relationship, as required, for example, due to storage periods under tax law. Furthermore, we may retain your personal data as long as legal claims can be asserted in connection with the contract. In the event of pending official or judicial proceedings, your personal data will be retained until the end of the respective proceedings.

We also retain your personal data beyond the contractual relationship as part of our contract partner management. We will delete your data from our contract partner management if you object to such data processing or if there has been no business contact with you for three years.

The personal data may be deleted earlier if you exercise the objection and removal options in a permissible manner.

Q. Shareholders and Annual General Meeting

We process personal data of shareholders (in particular those pursuant to Section 10a AktG) or their proxies and other persons participating in the Annual General Meeting (the "Participants"), in particular name, address, date of birth, securities account number, number of shares, class of shares, if applicable, voting card number, in order to enable them to exercise their rights in the context of the Annual General Meeting.

We receive this data, among other things, from the depository bank forms or from the participants themselves on the occasion of registering for the Annual General Meeting, ordering admission tickets and/or granting proxies. Participants are generally obliged to provide us with the required information. The processing of personal data of participants is mandatory for the participation in the Annual General Meeting as well as for its proper preparation, execution and follow-up.

The legal basis for processing activities that are necessary to comply with legal provisions (in particular provisions under company law) is the fulfilment of legal obligations (Art. 6 para. 1 lit. c DSGVO).

The legal basis for processing activities that are not necessarily required to comply with legal provisions is our legitimate interest, which lies in particular in the proper preparation, implementation and follow-up of the Annual General Meeting (Art. 6 para. 1 lit. f DSGVO).

The personal data may be disclosed to the following recipients:

  • Affiliated companies
  • Tax advisors, auditors and attorneys
  • IT service providers

other service providers (e.g. back-office service providers, travel companies, driving services, hotels)

In principle, we keep your personal data for as long as it is necessary for the preparation, implementation and follow-up of the Annual General Meeting. This is generally until the completion of the follow-up work. In addition, we are subject to various storage obligations, according to which personal data must also be stored for a longer period of time, as required, for example, due to storage periods under tax law or company law. Furthermore, we may retain your personal data as long as legal claims can be asserted in connection with the Annual General Meeting. In the event of pending official or judicial proceedings, your personal data will be retained until the respective proceedings have been concluded.

R. Order Annual Report

We store and process the personal data you provide when ordering the annual report (usually your name, e-mail address and postal address) for the purpose of sending you the annual report of Flughafen Wien Group by post.

This data will be added to our mailing list so that you always receive the latest reports.

The legal basis for the processing of personal data in connection with the ordering of annual reports is both your and our legitimate interest, which lies in sending you the annual report by post in response to your request (Art. 6 para. 1 lit. f DSGVO).

The processing of your personal data is necessary in order to provide the service you have requested (delivery of the annual report). Without this data, we cannot send you the annual report by post.

The personal data will be disclosed to the following recipients:

  • Delivery services
  • Printers

We keep your personal data until you inform us that you no longer wish to receive the annual report. As soon as you have informed us of this circumstance, we will delete your data from the mailing list.

S. Airport ID Card

The provision of the Airport ID Card and its functionalities (determination of access authorization to certain parts of the sensitive part of the security area by means of electronic data comparison using two-factor authentication using a palm vein scan, in some cases additionally using authentication by comparing personal images via real-time video surveillance ) serves to ensure airport security in accordance with legal security requirements.

For these purposes, we process the following personal data of holders and applicants of the Airport ID Card:

  • Data that is transmitted to the Federal Ministry for Climate Action, Environment, Energy, Mobility, Innovation and Technology (“BMK”) in accordance with Section 134a para 2 LFG for the purpose of the legally required background check, unless these data are transmitted directly to BMK by you or your employer via the BMK's ZÜP application [first and last names; birth names; gender; birth date; Place of birth; country of birth; nationalities; parents' first names; main residence during the last five years (country, city, postal code, street, house number, from/to date); Employment relationships during the last five years (each with type, organization, activity, from/to date), training and further education and any gaps during the last five years (each with type, organization, activity, from/to date); copy of a passport, identity card, alien passport or convention pass; foreign criminal record certificates or comparable evidence from the country of residence from the last five years in a certified translation in German or English, which must not be older than 6 months when presented for the first time; indication of the type of activity intended; Identity data based on consent for background check]
  • Contact details (telephone, email, address)
  • Title
  • Employer or client
  • Reason for the background check
  • Result of the background check
  • Safety training results
  • Number and validity period of the Airport ID Card
  • Access permissions
  • Places and timestamps of accesses
  • Palm vein scan
  • ID-photo
  • Image data from video surveillance cameras at the entry/access points at Vienna Airport
  • If applicable, vehicle access authorizations and vehicle data
  • If necessary, data collected as part of the inspection of files in accordance with Section 134a para 9 LFG

This data is processed in accordance with Art 6 para 1 lit c and Art 9 para 2 lit g GDPR for security purposes on the basis of legal security regulations, in particular the Implementing Regulation (EU) 2015/1998 and Section 134a et seq. LFG. If you are an employee of Flughafen Wien AG, your data will also be processed for the purpose of carrying out your employment relationship on the basis of Art 6 para 1 lit b and Art 9 para 2 lit b GDPR and on the basis of Art 6 para 1 lit f GDPR to safeguard our legitimate interests (documentation interest of the employer, interest in legal prosecution and legal defense).

Data pursuant to Section 134a para 2 LFG is transmitted to the competent authority (BMK) for the purpose of carrying out the legally required background checks.

The following IT service providers are recipients of data as our data processors:

FIEGL & SPIELBERGER Solution GmbH (Liebemannstraße F4/202, A-2345 Brunn am Gebirge)

Siemens AG Österreich (Siemensstraße 90, A-1210 Wien)

Your personal data will generally be stored until the expiry of the validity, blocking, return or refusal to issue your airport ID card and then deleted. Data will be stored for a longer period (i) if this is required by law (e.g. with regard to data relevant for accounting, which must be kept for seven years in accordance with Section 132 BAO) or (ii) if this is necessary for legal defense, law enforcement or to prove compliance with legal security requirements, until the expiry of the respective limitation periods under civil law or administrative criminal law (generally three years after expiry of the validity, blocking, return or refusal to issue your Airport ID Card). Video data is generally only stored for 48 hours, but may be stored for longer in the event of an incident (e.g. security breach). In case you are an employee of Flughafen Wien AG, your data may also be stored for up to three years after termination of your employment on the basis of Art 6 para 1 lit f GDPR to safeguard the legitimate interests of Flughafen Wien AG (employer's interest in documentation, interest in legal prosecution and legal defense).